Feature request - DNSCrypt support...

Posted: Mon Jan 30, 2012 7:55 am
by ibeeby
I'd be grateful if Mikrotik could consider adding DNSCrypt _urgently_ to the current and future versions of ROS.

DNSCrypt has been released by DYNDNS.org as open-source code and allows users to effectively wrap DNS requests to DYNDNS servers in an SSL layer. This significantly improves security for users in public networks but should also add security for businesses against eavesdropping and man-in-the-middle attacks.

Currently the only client support for DNSCrypt is an OS-X release from DYNDNS.org but as they have published the source code, it _must_ be straightforward for Mikrotik to add this as a package option.

All of my WAN facing Mikrotik routers use DYNDNS.org as their DNS servers as this allows free and effective filtering to avoid phishing sites and illegal content (which is flexibly adjustable by the user/manager).

Best Regards

Ian Beeby

Re: Feature request - DNSCrypt support...

Posted: Sun Feb 26, 2012 6:07 pm
by vetusa2
I add my request too

Re: Feature request - DNSCrypt support...

Posted: Sun Jul 14, 2013 7:28 am
by dmitrik
I vote for DNSCrypt.
OpenDNS supports DNSCrypt. I use Mikrotik as DNS proxy to OpenDNS.

Re: Feature request - DNSCrypt support...

Posted: Tue Jan 21, 2014 5:48 pm
by Shnatsel
I'd also love RouterOS to support DNSCrypt!
Right now I have to run it locally on every machine on the network and reconfigure the network settings on every machine for every connection - which is tedious and it's easy to miss a connection or a machine and then DNS goes in the clear again... EWWW.

If I could just get it on the router as a package all that hassle wouldn't be necessary!

Re: Feature request - DNSCrypt support...

Posted: Tue Jan 21, 2014 5:50 pm
by Shnatsel
I'd also love RouterOS to support DNSCrypt!
Right now I have to run it locally on every machine on the network and reconfigure the network settings on every machine for every connection - which is tedious and it's easy to miss a connection or a machine and then DNS goes in the clear again... EWWW.

If I could just get it on the router as a package I could get rid of all that hassle with manually editing every single connection on every single machine!

Re: Feature request - DNSCrypt support...

Posted: Sat Feb 22, 2014 3:29 pm
by chrismfz
That's old but hey.. never give up!

It should be great. Selecting already existing DNSes like cloudns or dnscrypt.eu or opendns
(or adding ours) would be great too. :D
spending power and $ to have always-on an old hardware server only for dns or running the dnscrypt-proxy anywhere when we got mikrotik it's a torture.

(Especially when there are devices that can't support it like cellphones, or in points which you offer wifi / internet and you want all dns traffic forced to dnscrypt)

Re: Feature request - DNSCrypt support...

Posted: Sat Mar 01, 2014 9:23 pm
by nosovk
it would be nice option :)

Re: Feature request - DNSCrypt support...

Posted: Wed Mar 26, 2014 1:59 pm
by pdf
I agree it would be nice to have it somewhere in the future

Re: Feature request - DNSCrypt support...

Posted: Thu May 22, 2014 10:25 pm
by IntrusDave
Add me to the list. Right now I keep a little 1U Atom box just for running things like DNSCrypt. I'd love to move that to my CCR1016

Re: Feature request - DNSCrypt support...

Posted: Sat Jun 28, 2014 1:41 pm
by tweetyspn
Totally agree, nice feature!

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 09, 2014 9:49 am
by andryan
+1

Would be really useful to bypass DNS-based censorship

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 09, 2014 10:56 am
by kurlais
be fine, if version 7 will support ikev2 vpn.

that is to use blackberry z10

Re: Feature request - DNSCrypt support...

Posted: Sun Dec 07, 2014 11:43 pm
by alexkuzko
Vote for this as well! Currently there is no proper method and using metarouter is too complex/heavy.

Re: Feature request - DNSCrypt support...

Posted: Sun Apr 12, 2015 1:10 am
by Solaris
+1 for dnscrypt!

Re: Feature request - DNSCrypt support...

Posted: Sun May 17, 2015 11:38 am
by bloodroses
+i it should have, security at first position !

Re: Feature request - DNSCrypt support...

Posted: Fri Jun 19, 2015 10:26 am
by shaneau
Would be a welcome addition to routeros.

Re: Feature request - DNSCrypt support...

Posted: Mon Jun 22, 2015 1:35 am
by nemke
+1 for dnscrypt!

Re: Feature request - DNSCrypt support...

Posted: Sat Aug 08, 2015 9:55 pm
by etm7469
+1 for dnscrypt!

Re: Feature request - DNSCrypt support...

Posted: Fri Aug 14, 2015 6:13 pm
by jo2jo
this would be Amazing if ROS supported DNSCrypt. would really open up a lot of potential buyers to ROS just for this one feature in a home router that doesn't require a lot of linux+setup.

tks

Re: Feature request - DNSCrypt support...

Posted: Sat Aug 15, 2015 7:17 pm
by nemke
+1 for DNSCrypt support...

Re: Feature request - DNSCrypt support...

Posted: Fri Aug 21, 2015 3:53 pm
by bhorrock
+1 for DNSCrypt !!

Re: Feature request - DNSCrypt support...

Posted: Fri Sep 04, 2015 9:59 am
by minjun
+1 for DNSCrypt.

Re: Feature request - DNSCrypt support...

Posted: Fri Sep 04, 2015 2:48 pm
by michaeln416
+1 for DNSCrypt !!

Sent from my Nexus 5 using Tapatalk

Re: Feature request - DNSCrypt support...

Posted: Tue Sep 08, 2015 4:23 pm
by Zorro
is it better than DNSCurve ?
or just another, proprietary implementation/port of ?

Re: Feature request - DNSCrypt support...

Posted: Mon Nov 09, 2015 12:56 pm
by MikroTikFan
+1 for DNSCrypt.

When ?

Re: Feature request - DNSCrypt support...

Posted: Wed Nov 25, 2015 11:10 pm
by pidybi
+1 for DNSCrypt
+1 ;)

currently I'm using dnscrypt-proxy by Cisco on Tomato and my log is:
Nov 24 00:03:12 | daemon.notice dnscrypt-proxy[1099]: Starting dnscrypt-proxy 1.4.1
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1099]: Initializing libsodium for optimal performance
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1099]: Generating a new key pair
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Server certificate #143xxx4751 received
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: This certificate looks valid
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Chosen certificate #143xxx4751 is valid from [2015-07-03] to [2016-07-02]
Nov 24 00:03:12 | daemon.info dnscrypt-proxy[1097]: Server key fingerprint is xxx9:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:Fxxx
Nov 24 00:03:12 | daemon.notice dnscrypt-proxy[1097]: Proxying from 127.0.0.1:40 to 208.67.220.220:443
:)

Re: Feature request - DNSCrypt support...

Posted: Mon Dec 28, 2015 8:42 pm
by Zorro
+1 for DNSCrypt
)
i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.

Re: Feature request - DNSCrypt support...

Posted: Tue Dec 29, 2015 9:05 am
by IntrusDave
i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.
No one said anything about tunnels or VPN. He said that he was using DNSCrypt-Proxy on tomato for his DNS. Just as many of us are. The whole point of DNSCrypt is to send the DNS through an encrypted tunnel.

Re: Feature request - DNSCrypt support...

Posted: Tue Dec 29, 2015 10:05 pm
by Zorro
i think you missed whole point of suggested by OP,changes/features, ie ability to do it Without tunnels of Any kind.
otherwise you can "anything over VPN" around Globe, anyway, but its eventually consume Lot more resources and attract Lot more /unwanted/redundant/ attention.
No one said anything about tunnels or VPN. He said that he was using DNSCrypt-Proxy on tomato for his DNS. Just as many of us are. The whole point of DNSCrypt is to send the DNS through an encrypted tunnel.
yes, but low-overhead "embedded" implementation. similarly - nobody would call SSH "tunnel" instead of serious VPN's or atleast IPIP, EOIP, despite similarity.

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 07, 2016 12:37 am
by MikroTikFan
Please consider that DNSCrypt can use a lot of resolvers in different parts of the world without establishing a paid commercial VPN.

https://github.com/jedisct1/dnscrypt-pr ... olvers.csv

Please keep in mind also that for some solutions with big traffic you don't need to use VPN which is quite heavy traffic for your router instead of this using just only DNSCrypt.

I think that this feature will be very useful and rest of routers solutions support DNSCrypt ;-)

Re: Feature request - DNSCrypt support...

Posted: Tue Jan 12, 2016 2:55 am
by Zorro
I think that this feature will be very useful and rest of routers solutions support DNSCrypt
i think too.
as well as "next-gen" things in that area, that already emerged and ought to replace DNSCrypt. aside mentioned above DNSCurve - there some other code, but somewhat unstable, yet in 1/3 of.
but what i don't think its this features - shouldn't be part of "default config" of DNS services(either MT implement it as part of Main DNS service or separate package).

Re: Feature request - DNSCrypt support...

Posted: Tue Feb 02, 2016 9:31 pm
by prd0000
+1 this.
I would like DNS crypt too. Right now we maintain VPN connection to our headquarter across the globe just to get our DNS addresses securely. other option is to install a "heavy" 128MB RAM 8GB linux built solely for DnsCrypt. I would like to cut that and maintain our own secure DNS resolver, but spending unnecessary resource for that tiny function seems beyond logic.

Re: Feature request - DNSCrypt support...

Posted: Wed Mar 30, 2016 4:09 pm
by колбаскин
+1 please add DNSCrypt support :)

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 04, 2016 5:17 am
by arxont
+1 vote to DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Fri May 20, 2016 1:31 pm
by Micat
I vote for DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Thu May 26, 2016 1:42 pm
by Dok
+1 for DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Wed Jun 01, 2016 10:00 am
by thevoidnn
+1 for DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Sat Jun 18, 2016 11:18 pm
by flexus
+1, vote for dnscrypt.

This already supports Tomato and OpenWRT! Need it in RoS :)

https://dnscrypt.org/#dnscrypt-routers

Re: Feature request - DNSCrypt support...

Posted: Sun Jun 19, 2016 12:53 am
by irghost
+1, vote for dnscrypt.

Re: Feature request - DNSCrypt support...

Posted: Mon Jul 11, 2016 12:11 am
by SystemErrorMessage
Wow, this thread was started years ago and still mikrotik hasn't implemented this. +1 for this feature to overcome ISP DNS hijacking as this has been an issue for me. Please implement it as soon as possible, the implementation is already available from github so all that remains is for mikrotik to adapt it to routerOS.

I know mikrotik is focused on being a good router but DNSCrypt is a network related feature that is very beneficial so please add this. I'm not expecting an all in one router from mikrotik but I want all in one when it comes to network features, I want snort and an antivirus on routerOS as well.

Re: Feature request - DNSCrypt support...

Posted: Sat Jul 16, 2016 6:31 pm
by ChangzhouC
+1 for DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Tue Jul 26, 2016 12:59 pm
by wirSeefahrer
+1 for DNSCrypt

That would be a really great feature to have even in countries like Sweden. :-)

Re: Feature request - DNSCrypt support...

Posted: Thu Aug 18, 2016 6:53 am
by Jacquesvw
+1 for DNScrypt

Re: Feature request - DNSCrypt support...

Posted: Wed Sep 21, 2016 1:03 am
by chebedewel
A nice feature indeed, it could be added along with DNSSec support

Re: Feature request - DNSCrypt support...

Posted: Sun Nov 13, 2016 3:11 pm
by chrisk8er
+1 for DNScrypt 8)

Re: Feature request - DNSCrypt support...

Posted: Sun Nov 13, 2016 3:41 pm
by agix
Vote for DNSCrypt yeaa...!!!

Re: Feature request - DNSCrypt support...

Posted: Thu Nov 24, 2016 10:45 am
by SaeedYa
+1 for Dns crypt

Re: Feature request - DNSCrypt support...

Posted: Thu Nov 24, 2016 10:48 am
by normis
Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC

Re: Feature request - DNSCrypt support...

Posted: Sun Dec 18, 2016 11:05 pm
by majestic
Thanks, this is the first time I've seen this RFC being mentioned. Thank you.

I was about to say +1 for adding this feature but also to allow for custom dnscrypt installs (i.e. support custom provider-key, provider-name and provider address) as a lot of us don't use OpenDNS or any other open public server(s). Some of us run our own dns infrastructure which we also have dnscrypt support.

However now that I know they are working on something, I will start investigating when bind/unbound etc will get this support (out of the box). Hopefully soon, meanwhile I would say that dnscrypt support would really help many of us to add to your existing products as a lot of customers use this and with the new laws recently announced, more and more will be jumping onto the boat to use encryption everywhere.

FYI: https://github.com/jedisct1/dnscrypt-proxy is the source(s) you need.

This is all you need (client wise), so if mikrotik had this support as in binary/package, it would solve our issues or we are forced to run additional hardware to support this in our networks i.e. rpi, nas etc assuming soho user here.

Thanks for the heads up btw.

Regards.

Re: Feature request - DNSCrypt support...

Posted: Sat Jan 07, 2017 11:49 pm
by mtivi
+1
Would be very useful in Russia, for example

Re: Feature request - DNSCrypt support...

Posted: Tue Jan 17, 2017 11:32 pm
by strn
I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for all my internal clients and I don't have to use a dnscrypt proxy on every machine. If anyone is interested in configuring it (especially as there are some compatibility tricks you have to be aware of) I can provide you the required steps to make it work :)

Re: Feature request - DNSCrypt support...

Posted: Tue Feb 14, 2017 5:31 pm
by SystemErrorMessage
Not many would use a raspberry pi to supplement what their routers can't do. Even I run cups and xsane on raspberry pi as well.

This feature is an absolute must because of the DNS proxy/hijacking done by ISPs and is a big problem for me and other people as my DDNS domain is blacklisted by many ISPs only because of the domain it is under which makes it harder for me.

Plenty of other reasons such as for businesses that want to implement their own domain system and to use DNScrypt as routerOS cannot first form a tunnel to the DNS server without a static IP so which not only resolves the issue of ISPs handling your DNS by force but also to secure your DNS so that it does not get attacked by hackers and such.

Re: Feature request - DNSCrypt support...

Posted: Tue Mar 07, 2017 8:33 pm
by ab0tj
I would also like to add my vote for DNScrypt support! I currently run a separate server for this.

Re: Feature request - DNSCrypt support...

Posted: Tue Mar 07, 2017 8:36 pm
by majestic
I would also like to add my vote for DNScrypt support! I currently run a separate server for this.
likewise.

Re: Feature request - DNSCrypt support...

Posted: Mon Mar 20, 2017 1:25 am
by MikroTikFan
+1 for DNSCrypt - again, again and again ...

Mikrotik developers how long we should wait ?

Customer feedback is these days something important for You ?

Re: Feature request - DNSCrypt support...

Posted: Mon Mar 20, 2017 2:10 am
by td32
It's 2017 and this must be a priority feature.

Re: Feature request - DNSCrypt support...

Posted: Wed Mar 29, 2017 1:23 am
by R1CH
With the US pushing an agenda that erodes privacy, DNSCrypt support is going to become essential to prevent ISPs from being able to monitor and monetize your browsing habits. Hope to see this in a release sooner rather than later.

https://www.washingtonpost.com/news/the ... otections/

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 03, 2017 1:20 am
by teodorch
+1

Sent from my Nexus 5 using Tapatalk

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 03, 2017 1:21 am
by teodorch
+1

Sent from my Nexus 5 using Tapatalk

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 03, 2017 3:11 pm
by ryz
+1

Sent from my GT-I9195 using Tapatalk

Re: Feature request - DNSCrypt support...

Posted: Sun Apr 16, 2017 10:20 am
by actck
+1 is very helpful with dns poisoning.

We need this feature and request another feature: custom the dns server port in "IP -> DNS Settings"

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 17, 2017 2:24 pm
by vaah
+1
I'd like to see DNScrypt be implemented into RouterOS, I currently use tomato router to get the DNScrypt working.

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 17, 2017 2:45 pm
by GreySer
+1
Now using openwrt under vmware.

Re: Feature request - DNSCrypt support...

Posted: Sat Apr 22, 2017 12:22 am
by mdove
+1 please.

Thanks,
Mike

Re: Feature request - DNSCrypt support...

Posted: Sat Apr 22, 2017 2:03 pm
by Florian
+1.

Re: Feature request - DNSCrypt support...

Posted: Mon May 08, 2017 6:57 pm
by yngndrw
+1, would love to see this implemented.

Re: Feature request - DNSCrypt support...

Posted: Tue May 23, 2017 7:56 am
by Neddy
I register to post this request.

Please add support for DNScrypt on RouterOS, it protects our users privacy. I highly appreciate.

Re: Feature request - DNSCrypt support...

Posted: Thu May 25, 2017 5:09 pm
by majestic
Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC
If you could add support for this, it would be great for everyone or even DNSCrypt which a lot of people use and is more common/known to them. Either would be acceptable. I kinda expect that RFC7858 would be easier to add as the support for unbound has been out quite a long time now if I recall even tho the RFC is quite young as you pointed out.

My only solution right now is to install say Softether onto the resolvers themselves, then getting the MTK to connect to it and use it as its DNS server. Not a great solution due to if the VPN drops/dies, the DNS for the network would also fold as they would be pointed to the private IP's.

Re: Feature request - DNSCrypt support...

Posted: Sat Jun 03, 2017 10:18 am
by platitude
+1 for this feature. It is highly important to implement it, especially for users and admins from countries with internet censorship (like me). Hope to see it soon. Thanks!

Re: Feature request - DNSCrypt support...

Posted: Sun Jun 25, 2017 9:56 pm
by Yekver
+100!!!!

Re: Feature request - DNSCrypt support...

Posted: Tue Jun 27, 2017 8:38 am
by WildCat
+1
It's a necessity for users from Russia and other countries with a barbarous attitude to the Internet.

Re: Feature request - DNSCrypt support...

Posted: Tue Jun 27, 2017 11:15 am
by Diamond
+1
Necessary today feature

Re: Feature request - DNSCrypt support...

Posted: Sat Jul 01, 2017 1:53 pm
by Rader
+1 for DNSCrypt
It is very necessary today!

Re: Feature request - DNSCrypt support...

Posted: Fri Oct 13, 2017 9:41 am
by netbus
+1
I need this

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 8:55 am
by Joni
Since it is not mentioned yet... "However, just enabling "DNS over TLS" feature would not prevent your ISP to know what websites you visit. Server Name Indication (SNI) — an extension of the TLS protocol — also indicates ISPs that which hostname is being contacted by the browser at the beginning of the 'handshake' process." https://thehackernews.com/2017/10/andro ... r-tls.html

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 9:55 am
by netbus
Since it is not mentioned yet...
We are talking about DNSCrypt not DNS over TLS

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 10:58 am
by Joni
Excellent point, DNSCrypt vs DNS over TLS

However doesn't it have the same "issue"? (being a different protocol, HTTP(S) vs DNS)
AFAIK, overly simplified the only difference being "Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider."

btw. You intend to reference the official site https://dnscrypt.org instead of the commercial Cisco OpenDNS @ https://www.opendns.com/about/innovations/dnscrypt/

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 11:35 am
by netbus
With these two methods, DNS Requests/Responses are encrypted. It's not fully anonymity but a step to exacerbate life for some snooper.
Only when visiting https websites "(SNI)" Problem is present.

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 12:19 pm
by Joni
Well this isn't about websites, considering the current "HTTPS everywhere" movement this sounds a bit more than "only", as SNI is a TLS extension, not HTTP.

(just to elaborate how the implementation of DNSCrypt or DNS over TLS (DNSS) itself isn't much of an advancement, especially in relation to a service at the same IP and port being just as available without the hostname, unless using SNI, which is still visible. Not saying it's better than nothing but just emphasizing that it doesn't do all that much)

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 2:43 pm
by yngndrw
DNSCrypt is not intended to provide privacy, it's intended to help prevent DNS spoofing.

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 7:45 pm
by Joni
Just emphasizing as many presume one with the other.
Could you reference the intention? It's not an authentication protocol but an encryption protocol... hence the name... not that it could fix SNI but since you specified intentions...

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 24, 2017 8:25 pm
by yngndrw
The best reference for the intentions would be the first paragraph of the DNSCrypt website:
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
There is no mention of privacy and you wouldn't expect it due to the SNI issue that you mentioned earlier.

The term "security" is quite a broad one and the security referenced in those security vs privacy articles are referring to national security and the need for surveillance, rather than security in the sense of authentication and verification. You can most certainly have security (The authentication kind) without privacy being a fundamental requirement, which is how public-private key cryptography works. (I.e. The public key is, as the name suggests, public - But knowledge of the public key does not allow a third party to impersonate the private key holder)

Unless I'm misunderstanding the scope of DNSCrypt, the primary usage of a pinned key-pair provides signing (Hence authentication of the server) rather than encryption - Encryption is just a side-effect of using SSL.

Re: Feature request - DNSCrypt support...

Posted: Wed Oct 25, 2017 10:49 am
by deathmagicmedia
+1 please.

Re: Feature request - DNSCrypt support...

Posted: Thu Nov 02, 2017 3:03 pm
by timonlio
+1 for DNSCrypt, very useful feature

Re: Feature request - DNSCrypt support...

Posted: Sun Nov 05, 2017 7:13 pm
by Xtreme512
hope to see it in new routeros version.

Re: Feature request - DNSCrypt support...

Posted: Sat Nov 25, 2017 8:43 am
by lapki
DNScrypt ready? I would like to install it on my device :)

Re: Feature request - DNSCrypt support...

Posted: Mon Dec 04, 2017 10:58 pm
by cgood
+1 DNSCRYPT-PROXY support! Thank you!

Re: Feature request - DNSCrypt support...

Posted: Wed Dec 13, 2017 5:35 pm
by sergeykoch
+1 for dnscrypt support

Re: Feature request - DNSCrypt support...

Posted: Fri Dec 15, 2017 11:08 pm
by m3763
Just registered to add my +1 for support

Re: Feature request - DNSCrypt support...

Posted: Sun Dec 31, 2017 3:10 am
by netravnen
+1

dnscrypt-proxy added as a separate npk package ?

So initially not a full-blown server. Just a forwarder.

Re: Feature request - DNSCrypt support...

Posted: Mon Jan 08, 2018 1:05 pm
by Joni
Well that problem got resolved... funny how things turn out in completely unexpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/

Re: Feature request - DNSCrypt support...

Posted: Sat Feb 17, 2018 12:13 pm
by badass
my +1 for support

Re: Feature request - DNSCrypt support...

Posted: Tue Apr 03, 2018 12:12 pm
by Lion
+1
Where are DNS-over-TLS and DNS-over-HTTPS ?

Re: Feature request - DNSCrypt support...

Posted: Sat Apr 14, 2018 9:54 pm
by anav
Well that problem got resolved... funny how things turn out in completely unexpected ways... wait, no... https://www.reddit.com/r/linux/comments ... abandoned/
Don't look so sad there Mr Coyote......... In any case one has to follow standards, the RFC bouncing ball. :-)
By the way, I could use your sign every time I open WINBOX. ;-)

Re: Feature request - DNSCrypt support...

Posted: Sat Apr 21, 2018 7:33 pm
by BioDranik
+1 for DNSCrypt, HTTPS-DNS or TLS-DNS

Re: Feature request - DNSCrypt support...

Posted: Sun Apr 22, 2018 2:04 am
by blackzero
Please do this. Anything man, DNSCrypt or DNS over TLS. I can do with either. Just do it don't be lazy.

Re: Feature request - DNSCrypt support...

Posted: Sat May 12, 2018 12:53 am
by BigDT
+1 For DNScrypt support. also DNS over TLS or DNS over HTTPS

It's very useful for country like Indonesia.
ISP here use Transparent DNS and cannot use the standard 53 dns port

Re: Feature request - DNSCrypt support...

Posted: Tue Jun 26, 2018 1:04 pm
by xkubus
+1, we are waiting for years to implement. Developers, please pay attention to the number of applicants.

Re: Feature request - DNSCrypt support...

Posted: Tue Jun 26, 2018 1:27 pm
by msatter
In the time being you can use Unbound on RaspberryPI to have the current DNS securities.

https://unbound.net/

Re: Feature request - DNSCrypt support...

Posted: Sun Jul 08, 2018 8:37 pm
by cREoz
+1 for DNSCrypt support

Re: Feature request - DNSCrypt support...

Posted: Sun Jul 08, 2018 10:36 pm
by mlenhart
+1 for DNSSec/DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Mon Jul 09, 2018 2:00 am
by cavok
I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for all my internal clients and I don't have to use a dnscrypt proxy on every machine. If anyone is interested in configuring it (especially as there are some compatibility tricks you have to be aware of) I can provide you the required steps to make it work :)
Would love to get this info, please.

Re: Feature request - DNSCrypt support...

Posted: Tue Jul 10, 2018 6:23 pm
by vladvalmont
+1 for DNSCrypt support

Re: Feature request - DNSCrypt support...

Posted: Wed Jul 11, 2018 2:35 am
by foxxiu7
I'm using dnscrypt via a raspberry in combination with pi-hole and OpenDNS. Works perfectly for all my internal clients and I don't have to use a dnscrypt proxy on every machine. If anyone is interested in configuring it (especially as there are some compatibility tricks you have to be aware of) I can provide you the required steps to make it work :)
Would love to get this info, please.
I'm also interested how to add DNSCrypt support on the RPi as currently I'm using two MikroTiks and RaspberryPi with pi-hole and OpenDNS.

Re: Feature request - DNSCrypt support...

Posted: Sat Sep 15, 2018 8:41 pm
by Anastasia
+1 for DNSCrypt support

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 04, 2018 11:40 am
by MikroRouter
Hope this can be implemented soon...

Re: Feature request - DNSCrypt support...

Posted: Mon Oct 08, 2018 7:47 am
by thief
+1 for DNSSec/DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Tue Oct 09, 2018 8:39 pm
by Kamaz
+1 for DNSSec/DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Wed Oct 10, 2018 2:31 pm
by Azure
Doesn't this supersede DNScrypt, plus, is now an accepted standard? https://tools.ietf.org/html/rfc7858

But it is still a very fresh RFC
Yes! This!
DNScrypt is great and all... But I'd like to see DNS-TLS as Quad9 supports it.
In the end, either is better than neither!

https://www.quad9.net/faq/#Does_Quad9_s ... S_over_TLS

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 25, 2018 9:23 am
by skiif
+1 for DNS-over-TLS as it's an IETF approved standard, but of course DNScrypt and DNS-HTTPs also will be very appreciated.

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 25, 2018 11:55 am
by Chupaka
DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 25, 2018 12:54 pm
by Joni
DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.
https://www.theregister.co.uk/2018/10/2 ... _standard/

Re: Feature request - DNSCrypt support...

Posted: Sun Oct 28, 2018 2:00 pm
by nimbo78
DNS over TLS is now supported both by CloudFlare (1.1.1.1) and Google (8.8.8.8), so looks like it's time =)
+1

Re: Feature request - DNSCrypt support...

Posted: Wed Nov 28, 2018 4:21 pm
by estas
+1 for DNS-over-TLS and DNSCrypt!
and also waiting UDP Proxy...

Re: Feature request - DNSCrypt support...

Posted: Mon Jan 07, 2019 10:38 am
by xkubus
+1 Please!

Re: Feature request - DNSCrypt support...

Posted: Tue Jan 08, 2019 1:19 am
by EvgeniyV
+1
interesting, how many people still have to write "+1" that this gave the result? :-?

Re: Feature request - DNSCrypt support...

Posted: Mon Jan 14, 2019 11:30 am
by Kamaz
Google provides DNS-over-TLS https://developers.google.com/speed/pub ... s-over-tls from January 2019,
also it provides DNS-over-HTTPS https://developers.google.com/speed/pub ... over-https from September 2018.

Re: Feature request - DNSCrypt support...

Posted: Mon Jan 14, 2019 12:04 pm
by cgood
+1
interesting, how many people still have to write "+1" that this gave the result? :-?
Topic started at 30 Jan 2012 09:55 ... we wait for a miracle

Re: Feature request - DNSCrypt support...

Posted: Mon Jan 14, 2019 1:59 pm
by vecernik87
Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone within few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...

Re: Feature request - DNSCrypt support...

Posted: Mon Jan 14, 2019 9:39 pm
by cgood
Topic started at 30 Jan 2012 09:55 ... we wait for a miracle
No. It just proves how futile is the idea of implementing nonstandard or nonstable technologies - they are gone within few years. Where is DNScrypt today? Is it massively accepted? No. If mikrotik implemented it back then, it would be enormous waste of time.
Wait for standardized solution which is widely accepted. Then ask for support and you got at least a chance...
ovpn UDP support may be too "enormous waste of time"?

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 2:36 am
by poizzon
+10

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 8:28 am
by Chupaka
+10
+10 to "enormous waste of time"? :)

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 8:45 am
by normis
Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 1:43 pm
by Chupaka
HTTPS gives you more security
Huh?..
inability to catch this traffic as an administrator
Well, as it was earlier - by IP address :)

But generally yes - it's harder for your ISP to block/redirect DoH than DoT as it uses shared port number (443).

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 2:24 pm
by normis
Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).
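
The framing difference behind this exchange, as an added example that is not part of the thread: the same DNS query is wrapped for DoT (RFC 7858, dedicated TCP port 853) and for DoH (RFC 8484 GET on TCP port 443), and a port-based rule is applied to each. The host `resolver.example`, the `/dns-query` path and all function names are assumptions chosen for illustration.

```python
import base64
import struct

def build_query(name, qtype=1, msg_id=0):
    """Encode a one-question DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def frame_dot(msg):
    """DoT: message sent inside TLS on TCP 853 with a 2-byte length prefix."""
    return {"port": 853, "payload": struct.pack("!H", len(msg)) + msg}

def frame_doh_get(msg, host="resolver.example", path="/dns-query"):
    """DoH: message carried in an HTTPS GET on TCP 443, base64url, no padding."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    request = (f"GET {path}?dns={b64} HTTP/1.1\r\n"
               f"Host: {host}\r\n"
               "Accept: application/dns-message\r\n\r\n")
    return {"port": 443, "payload": request.encode("ascii")}

def port_rule_matches(frame, dns_ports=(53, 853)):
    """All a port-based firewall rule sees without decrypting: the destination port."""
    return frame["port"] in dns_ports

if __name__ == "__main__":
    query = build_query("www.example.com")  # constructed sample query
    for label, frame in (("DoT", frame_dot(query)), ("DoH", frame_doh_get(query))):
        print(label, "port", frame["port"],
              "matched by DNS port rule:", port_rule_matches(frame))
```

Both payloads travel inside TLS, so of the fields built here only the port is visible to a middlebox; the destination address stays visible in either case.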

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 3:20 pm
by cgood
Huh? Since DNS over HTTPS uses port 443 and there is no visual difference in traffic type, admin can't intercept or block this traffic (except by destination address).
When will the DoH appear 😚? So when?

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 3:21 pm
by Chupaka
What about SNI? :) ESNI is not on stage currently

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 3:26 pm
by cgood
At home I'm mangling DNS fwd+out connections and redirect to EU OVPN (CHR VPS), but DoH = peer-to-peer encryption & we all need it (=

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 3:29 pm
by normis

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 4:36 pm
by ErfanDL
add DNSSEC features



Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 4:43 pm
by normis
add DNSSEC features

What does it mean?

Re: Feature request - DNSCrypt support...

Posted: Thu Jan 17, 2019 6:35 pm
by ErfanDL
add DNSSEC features

What does it mean?
https://en.m.wikipedia.org/wiki/Domain_ ... Extensions



Re: Feature request - DNSCrypt support...

Posted: Mon Jan 21, 2019 10:15 pm
by anthonws
Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Both would be the ideal scenario :) Naturally that I understand that there's budget/resources constraints and prioritization of features, and therefore that is not viable.

Using Mikrotik mainly as Home gear, my natural choice would be to go with DoH. But, since your main target is Enterprise then it makes sense to invest on the DoT first. I'm sure that the Home users/clients like me will be able to still use DoT.

Ultimately, one or the other will provide the additional security (with more or less controls) that the majority of your customers are looking for :)

What about SNI? :) ESNI is not on stage currently
Isn't that at the Browser level only?

Re: Feature request - DNSCrypt support...

Posted: Tue Jan 22, 2019 4:31 pm
by anav
At a minimum, from a practical point of view, wouldn't it matter more that juniper, cisco, fortigate, zyxel etc......... started implementing such technologies.
Further if mikrotik saw a decrease in sales and an erosion in the current base to such vendors due to technology available elsewhere, then they would be forced to move.
However, that would be too late so it is a matter of timing besides the other usual suspects, money, human resources, code stability, hardware limitations.......

.

Re: Feature request - DNSCrypt support...

Posted: Wed Feb 13, 2019 12:41 pm
by R1CH
Instead of wordless pluses, how about a discussion on TLS vs HTTPS.
TLS gives you a specific port and capability to filter and NAT etc. HTTPS gives you more security, but also the inability to catch this traffic as an administrator. More aspects?
Why not both? Although DNS over HTTPS seems to be the way forward, very few providers are actually deploying DNS over TLS. As long as you maintain a persistent connection to the resolver, latency should be minimal.

Re: Feature request - DNSCrypt support...

Posted: Wed Feb 13, 2019 11:30 pm
by eworm
At FOSDEM 2019 Daniel Stenberg (the maintainer of curl) had a talk about DNS over HTTPS - the good, the bad and the ugly. Very interesting topic and he sheds some light on DoT, DNScrypt, DNSsec & Co as well.

IMHO DoH is the way to go.

Re: Feature request - DNSCrypt support...

Posted: Sun Mar 03, 2019 9:57 am
by pothi
As an administrator, I'd like to have some (or full) control over the traffic, thus favoring DNS over TLS.

As a user, I don't want any control over my internet connection, thus supporting DNS over HTTPS.

Both are better than plain text DNS query.

Re: Feature request - DNSCrypt support...

Posted: Thu Mar 14, 2019 3:50 pm
by kenyloveg
Can we just hold back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution (intercept plain text like google from udp 53 port then return 127.0.0.1) is a very easy way for an ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353

Re: Feature request - DNSCrypt support...

Posted: Sun Apr 07, 2019 10:37 pm
by mutinsa
+1.

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 08, 2019 12:14 am
by anav
Can we just hold back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution (intercept plain text like google from udp 53 port then return 127.0.0.1) is a very easy way for an ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one public DNS server. Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.

Re: Feature request - DNSCrypt support...

Posted: Wed Apr 10, 2019 12:46 am
by anthonws
DoH is no longer a "waste of time" and it's now massively used by the industry (there's even Android Apps to turn on that nowadays with Cloudflare for example).

So, questions:

1. Is there an intention from Mikrotik to implement this?
2. Is there a sharable roadmap for the feature to be implemented?
3. If #1 = negative, why and what's the alternative for your users to be able to make use of such technologies?

Thanks,
anthonws.

Re: Feature request - DNSCrypt support...

Posted: Mon Apr 15, 2019 7:39 am
by kenyloveg
Can we just hold back these advanced fancy DNS standards, but support setting up non-standard tcp/udp port in /ip dns?
Just a little update in 6.45, or maybe 6.46...
DNS pollution (intercept plain text like google from udp 53 port then return 127.0.0.1) is a very easy way for an ISP to do if mikrotik device (and most common soho devices) only support udp 53.
BTW, I'm using below rules to redirect dns port.
add action=dst-nat chain=dstnat dst-address=208.67.220.220 dst-port=53 protocol=udp to-addresses=208.67.220.220 to-ports=5353
add action=dst-nat chain=dstnat dst-address=208.67.222.222 dst-port=53 protocol=udp to-addresses=208.67.222.222 to-ports=5353
Why limit the destination address to one public DNS server. Why not just dstport 53 protocol udp/tcp redirect to port 5353 (sounds like dnssec for pihole).
In your rule, somebody hardcoding 8.8.8.8 or 1.1.1.1 would not get trapped.
Tested this works with opendns, but failed with cloudflare or some other public dns. (assume ISP rules to intercept opendns is not created for now)

Re: Feature request - DNSCrypt support...

Posted: Tue Apr 30, 2019 6:00 pm
by obesbash
+1 for DNSSec/DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Wed Jun 12, 2019 3:04 pm
by darkmanlv
+1 DNSCrypt, when?

Re: Feature request - DNSCrypt support...

Posted: Sun Jun 16, 2019 7:24 am
by febhost32
+1 for DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Fri Jun 21, 2019 4:07 pm
by karo84
+10000 for DNSSec/DNSCrypt. It is a big need today to use DNSCrypt. Thanks!

Re: Feature request - DNSCrypt support...

Posted: Fri Jun 28, 2019 3:26 pm
by mutinsa
up
+1.

Re: Feature request - DNSCrypt support...

Posted: Wed Jul 31, 2019 8:07 pm
by kathampy
I would also like to see DNS over HTTPS support so I can use Cloudflare's service. Since the RouterOS DNS service is only a forwarder, DNSSEC can only be done by the upstream iterative resolver. To prevent tampering between RouterOS and the upstream resolver, DNS over HTTPS is required.

Re: Feature request - DNSCrypt support...

Posted: Wed Jul 31, 2019 8:18 pm
by ErfanDL
+1M



Re: Feature request - DNSCrypt support...

Posted: Sat Aug 03, 2019 12:16 am
by konigman
Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds.

That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"?

Our approach should be to not only say "yes" with a sea of +1s (by the way, can there not be some annual feature request poll, annual feedback survey or something like that), but provide arguments that support this conclusion.

For example;

Which major DNS providers now offer DoT/DoH?
Which competing network hardware manufacturers provide DoT/DoH or are planning to?
Which consumer devices support DoT/DoH? The point here is that if consumers start using DoT/DoH, then they will expect to see it in the network gear in their homes, workplace, ISPs.

Now, did you expect me to provide answers to the above? Too bad. I'm Friday-lazy, but consider this me trying to get the ball rolling. :D

Ok, fine. Here's a list of DNS providers https://en.wikipedia.org/wiki/Public_re ... ame_server so it's evident Cloudflare, Google and Quad9 are leading the way.
Also, about consumer devices, we have "Private DNS" in Android 9.0, which accepts DoT.
Regarding competing firms, someone in the know could chime in.

Re: Feature request - DNSCrypt support...

Posted: Sat Aug 03, 2019 12:32 pm
by WojtusW5
+1 a very good idea that encrypted DNS support will be implemented in RouterOS

Re: Feature request - DNSCrypt support...

Posted: Sat Aug 03, 2019 2:26 pm
by anthonws
Mikrotik is a business, so we have to treat this feature request as such. Not on ideological (privacy of user) or technical (DoT vs DoH) grounds.

That said, the question Mikrotik is asking themselves is obvious. Is this feature "worth it"?

Our approach should be to not only say "yes" with a sea of +1s (by the way, can there not be some annual feature request poll, annual feedback survey or something like that), but provide arguments that support this conclusion.

For example;

Which major DNS providers now offer DoT/DoH?
Which competing network hardware manufacturers provide DoT/DoH or are planning to?
Which consumer devices support DoT/DoH? The point here is that if consumers start using DoT/DoH, then they will expect to see it in the network gear in their homes, workplace, ISPs.

Now, did you expect me to provide answers to the above? Too bad. I'm Friday-lazy, but consider this me trying to get the ball rolling. :D

Ok, fine. Here's a list of DNS providers https://en.wikipedia.org/wiki/Public_re ... ame_server so it's evident Cloudflare, Google and Quad9 are leading the way.
Also, about consumer devices, we have "Private DNS" in Android 9.0, which accepts DoT.
Regarding competing firms, someone in the know could chime in.
All good points that have been indefinitely mentioned throughout the forum in numerous threads.

Just forget it. It's not going to happen.

There's no objective Customer Care/Success Unit strategy from Mikrotik, let alone someone or some Business Unit looking into these forums, other than support.

Honestly (and I'm not the only one saying this), take your money elsewhere for your next network equipment acquisition.

Re: Feature request - DNSCrypt support...

Posted: Wed Sep 11, 2019 12:47 am
by drdedus
+1 for DNSSec/DNSCrypt

Re: Feature request - DNSCrypt support...

Posted: Thu Sep 26, 2019 12:53 am
by 3dfx
Any updates on the topic?

Re: Feature request - DNSCrypt support...

Posted: Mon Oct 14, 2019 7:02 am
by kenyloveg
Never tried V7 beta, something new in the DNS section?

Re: Feature request - DNSCrypt support...

Posted: Mon Oct 14, 2019 6:42 pm
by Sob
Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).

Re: Feature request - DNSCrypt support...

Posted: Thu Oct 17, 2019 5:20 am
by kenyloveg
Nothing I can see. But it's early beta and the main goal is to have new kernel, not so much new features, even though there are some (not for DNS).
Thank you.